adjust openvpn_otp_auth.py to support auth-token with MFA

Viscosity Menu Icon Packs, Two-Factor Scripts, & OpenVPN Config Tool

pmazanec

Posts: 3
Joined: Wed Mar 27, 2019 5:49 am

Post by pmazanec » Wed Mar 27, 2019 5:59 am
Hello,

I've configured an OpenVPN server to use YubiKey OTP using your script openvpn_otp_auth.py (howto: https://www.sparklabs.com/support/kb/ar ... viscosity/)

All is working fine; however, I'm using the reneg-sec parameter in my server config, which causes Viscosity to ask for a new YubiKey OTP every time key renegotiation happens.

Would it be possible for you to implement auth-token support in openvpn_otp_auth.py, similar to what is done here?
https://www.crc.id.au/openvpn-otp-with-a-yubikey/
https://www.crc.id.au/files/yubikey-auth-tokens

I know "reneg-sec 0" is a "work-around", but it's not a very secure one.

Many thanks

Eric

Posts: 851
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Wed Mar 27, 2019 11:44 am
Hi pmazanec,

Edit your server configuration and on a new line add:

auth-gen-token

Restart your server and then connect again. This should generate a token that should be used for renegotiation without needing to use your token or make any modifications to our script.

Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs

pmazanec

Posts: 3
Joined: Wed Mar 27, 2019 5:49 am

Post by pmazanec » Thu Mar 28, 2019 11:10 pm
Hello Eric, thanks a lot for the answer.

It works almost perfectly, only it doesn't disconnect the client on token expiry. The server closes the connection but Viscosity still shows it's connected. Do you have any ideas for that?

Configs below (private info replaced with Xes):

# details:
os: Amazon Linux 2 64bit

openvpn version:
openvpn-2.4.7-1.el7.x86_64 (from epel repo)
OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019

viscosity:
1.7.14 (1480) (registered)


server.conf
port 443
proto udp4
dev tun0
topology subnet
server 172.27.65.0 255.255.255.0
ifconfig-pool-persist ipp.txt

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
tls-crypt /etc/openvpn/server.tlsauth
remote-cert-eku "TLS Web Client Authentication"

cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"

user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
explicit-exit-notify

status /var/log/openvpn-status.log
verb 3

username-as-common-name
client-cert-not-required
reneg-sec 10
auth-gen-token 20

auth-user-pass-verify /etc/openvpn/openvpn_otp_auth.py via-env
script-security 3

client.conf
client
pull
tls-client
proto udp
remote vpn.xxx.xxx 443 udp
resolv-retry infinite
dev tun
nobind
auth-nocache
topology subnet
user nobody
group nobody
auth-user-pass
explicit-exit-notify
static-challenge "Activate your YubiKey" 0
remote-cert-eku "TLS Web Server Authentication"

<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
XXXX
-----END OpenVPN Static key V1-----
</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----
XXXX
-----END CERTIFICATE-----
</ca>

log file, verb 3:

### first connect/authentication
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:58658, sid=50c047a9 622deb27
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 peer info: IV_VER=2.4.6
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 peer info: IV_PLAT=mac
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 peer info: IV_PROTO=2
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 peer info: IV_NCP=2
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 peer info: IV_LZ4=1
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 peer info: IV_LZ4v2=1
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 peer info: IV_LZO=1
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 peer info: IV_COMP_STUB=1
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 peer info: IV_COMP_STUBv2=1
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 peer info: IV_TCPNL=1
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 peer info: IV_GUI_VER=Viscosity_1.7.14_1480
Mar 28 11:48:15 openvpn[32160]: Thu Mar 28 11:48:15 2019 XX.XX.XX.XX:58658 TLS: Username/Password authentication succeeded for username 'pmazanec' [CN SET]
Mar 28 11:48:15 openvpn[32160]: Thu Mar 28 11:48:15 2019 XX.XX.XX.XX:58658 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1541'
Mar 28 11:48:15 openvpn[32160]: Thu Mar 28 11:48:15 2019 XX.XX.XX.XX:58658 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Mar 28 11:48:15 openvpn[32160]: Thu Mar 28 11:48:15 2019 XX.XX.XX.XX:58658 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Mar 28 11:48:15 openvpn[32160]: Thu Mar 28 11:48:15 2019 XX.XX.XX.XX:58658 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Mar 28 11:48:15 openvpn[32160]: Thu Mar 28 11:48:15 2019 XX.XX.XX.XX:58658 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Mar 28 11:48:15 openvpn[32160]: Thu Mar 28 11:48:15 2019 XX.XX.XX.XX:58658 [pmazanec] Peer Connection Initiated with [AF_INET]XX.XX.XX.XX:58658
Mar 28 11:48:15 openvpn[32160]: Thu Mar 28 11:48:15 2019 pmazanec/XX.XX.XX.XX:58658 MULTI_sva: pool returned IPv4=172.27.65.2, IPv6=(Not enabled)
Mar 28 11:48:15 openvpn[32160]: Thu Mar 28 11:48:15 2019 pmazanec/XX.XX.XX.XX:58658 MULTI: Learn: 172.27.65.2 -> pmazanec/XX.XX.XX.XX:58658
Mar 28 11:48:15 openvpn[32160]: Thu Mar 28 11:48:15 2019 pmazanec/XX.XX.XX.XX:58658 MULTI: primary virtual IP for pmazanec/XX.XX.XX.XX:58658: 172.27.65.2
Mar 28 11:48:16 openvpn[32160]: Thu Mar 28 11:48:16 2019 pmazanec/XX.XX.XX.XX:58658 PUSH: Received control message: 'PUSH_REQUEST'
Mar 28 11:48:16 openvpn[32160]: Thu Mar 28 11:48:16 2019 pmazanec/XX.XX.XX.XX:58658 SENT CONTROL [pmazanec]: 'PUSH_REPLY,compress lz4-v2,route-gateway 172.27.65.1,topology subnet,ping 10,ping-restart 120,ifconfig 172.27.65.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,auth-token' (status=1)
Mar 28 11:48:16 openvpn[32160]: Thu Mar 28 11:48:16 2019 pmazanec/XX.XX.XX.XX:58658 Data Channel: using negotiated cipher 'AES-256-GCM'
Mar 28 11:48:16 openvpn[32160]: Thu Mar 28 11:48:16 2019 pmazanec/XX.XX.XX.XX:58658 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 28 11:48:16 openvpn[32160]: Thu Mar 28 11:48:16 2019 pmazanec/XX.XX.XX.XX:58658 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

### key regeneration #1 - token auth succeeded
Mar 28 11:48:25 openvpn[32160]: Thu Mar 28 11:48:25 2019 pmazanec/XX.XX.XX.XX:58658 TLS: soft reset sec=0 bytes=72/-1 pkts=1/0
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_VER=2.4.6
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_PLAT=mac
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_PROTO=2
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_NCP=2
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_LZ4=1
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_LZ4v2=1
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_LZO=1
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_COMP_STUB=1
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_COMP_STUBv2=1
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_TCPNL=1
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_GUI_VER=Viscosity_1.7.14_1480
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 TLS: Username/auth-token authentication succeeded for username 'pmazanec' [CN SET]
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1541'
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384

### key regeneration #2 - token expired, viscosity still connected
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 TLS: soft reset sec=0 bytes=76/-1 pkts=2/0
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_VER=2.4.6
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_PLAT=mac
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_PROTO=2
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_NCP=2
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_LZ4=1
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_LZ4v2=1
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_LZO=1
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_COMP_STUB=1
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_COMP_STUBv2=1
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_TCPNL=1
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_GUI_VER=Viscosity_1.7.14_1480
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 Auth-token for client expired
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1541'
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384

### key regeneration #3 - token expired, viscosity still connected, openvpn_otp_auth.py exited with `1` (??)
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 TLS Error: local/remote TLS keys are out of sync: [AF_INET]XX.XX.XX.XX:58658 [2]
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 TLS: soft reset sec=0 bytes=0/-1 pkts=0/0
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_VER=2.4.6
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_PLAT=mac
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_PROTO=2
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_NCP=2
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_LZ4=1
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_LZ4v2=1
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_LZO=1
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_COMP_STUB=1
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_COMP_STUBv2=1
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_TCPNL=1
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_GUI_VER=Viscosity_1.7.14_1480
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 TLS Auth Error: Auth Username/Password verification failed for peer
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1541'
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384


Mar 28 11:48:56 openvpn[32160]: Thu Mar 28 11:48:56 2019 pmazanec/XX.XX.XX.XX:58658 TLS: soft reset sec=0 bytes=0/-1 pkts=0/0
Mar 28 11:48:56 openvpn[32160]: Thu Mar 28 11:48:56 2019 pmazanec/XX.XX.XX.XX:58658 SIGTERM[soft,auth-control-exit] received, client-instance exiting

Eric

Posts: 851
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Fri Mar 29, 2019 11:49 am
Hi pmazanec,

I would expect the client to take two minutes (120 seconds, per your ping-restart) to fail, as the server does not explicitly tell the client it has failed renegotiation with an auth-token. A copy of your client log would help to see what is going on as well - https://sparklabs.com/support/kb/articl ... envpn-log/

Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs

pmazanec

Posts: 3
Joined: Wed Mar 27, 2019 5:49 am

Post by pmazanec » Mon Apr 01, 2019 6:43 pm
Hello Eric,

Yes, that's exactly what's happening. The server closes the connection without letting the client know the token has expired. The client then restarts the connection only after the keepalive has expired, but I don't find this very convenient. It looks like a bug/missing implementation of auth-gen-token in OpenVPN :(

When token generation/validation is directly in the auth script as I suggested, all this is in your hands.

Pavol

Eric

Posts: 851
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Tue Apr 02, 2019 5:20 pm
Hi Pavol,

You are most welcome to modify the provided scripts to suit your needs. Alternatively, the scripts you linked in your original post may better suit your needs; this choice is up to you. I'm afraid, however, that we won't be making the changes to our script that you suggested, as for the vast majority of users auth-gen-token without an expiry would suit their needs.

If you want to run auth-gen-token with a small timeout, you will need to reduce your keepalive values to match.

Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs
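A small lint for the timing relationship Eric describes (token lifetime vs. reneg-sec vs. the ping-restart that keepalive pushes to the client), run over the directives from the server.conf posted above. This is an added example, not the Viscosity script or anything from the thread; the sample config is constructed from the thread, and the reneg-sec default and the keepalive push expansion are OpenVPN's documented behaviour.

```python
import shlex

# Constructed sample: the timing directives from the server.conf posted in the thread.
SERVER_CONF = """\
keepalive 10 120
reneg-sec 10
auth-gen-token 20
"""


def parse_directives(text):
    """Map each directive to its argument list (last occurrence wins; push lines are not needed here)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = shlex.split(line)
        out[parts[0]] = parts[1:]
    return out


def lint_token_timing(text):
    """Return (code, message) findings about auth-gen-token vs reneg-sec vs keepalive."""
    d = parse_directives(text)
    findings = []
    if "auth-gen-token" not in d:
        return [("no-token", "no auth-gen-token: every renegotiation re-prompts for the OTP")]
    lifetime = int(d["auth-gen-token"][0]) if d["auth-gen-token"] else 0  # 0 = token never expires
    reneg = int(d["reneg-sec"][0]) if "reneg-sec" in d else 3600  # OpenVPN default is 3600s
    # 'keepalive n m' makes the server push 'ping n' and 'ping-restart m' to the client.
    ping_restart = int(d["keepalive"][1]) if "keepalive" in d else None
    if reneg == 0:
        findings.append(("no-reneg", "reneg-sec 0: keys are never renegotiated, so the token is never re-checked"))
        return findings
    if lifetime == 0:
        return findings
    findings.append(("session-bounded",
                     f"token lifetime {lifetime}s: the first renegotiation (every {reneg}s) after "
                     f"{lifetime}s is refused with 'Auth-token for client expired' and the server drops the client"))
    if ping_restart is not None and ping_restart > lifetime:
        findings.append(("dead-tunnel",
                         f"pushed ping-restart {ping_restart}s exceeds token lifetime {lifetime}s: the dropped "
                         f"client is not notified and shows as connected for up to {ping_restart}s; "
                         f"lower keepalive's second value to {lifetime} or less"))
    return findings


if __name__ == "__main__":
    for code, msg in lint_token_timing(SERVER_CONF):
        print(f"[{code}] {msg}")
```

On the posted config this reports both findings, which is exactly the sequence the log shows: token accepted at the first renegotiation, refused at the second, and the client lingering until ping-restart fires.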